Closed Bug 1887702 Opened 2 months ago Closed 2 months ago

Crash in [@ js::gc::AllocSite::zone]

Categories

(Core :: JavaScript: GC, defect)

ARM64
All
defect

Tracking

RESOLVED DUPLICATE of bug 1639157
Tracking Status
firefox-esr115 --- unaffected
firefox124 --- unaffected
firefox125 --- unaffected
firefox126 --- affected

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/f085a621-d0a1-46a4-9d34-77f6a0240323

Reason: SIGSEGV / SEGV_ACCERR

Top 10 frames of crashing thread:

0  libxul.so  js::gc::AllocSite::zone const  js/src/gc/Pretenuring.h:145
0  libxul.so  js::gc::NurseryCellHeader::zone const  js/src/gc/Heap.h:770
0  libxul.so  js::gc::Cell::nurseryZoneFromAnyThread const  js/src/gc/Cell.h:390
0  libxul.so  js::gc::Cell::nurseryZone const  js/src/gc/Cell.h:384
0  libxul.so  js::gc::TenuringTracer::promoteObjectSlow  js/src/gc/Tenuring.cpp:702
0  libxul.so  js::gc::TenuringTracer::onNonForwardedNurseryObject  js/src/gc/Tenuring.cpp:98
0  libxul.so  js::gc::TenuringTracer::traverse  js/src/gc/Tenuring.cpp:203
0  libxul.so  js::gc::TenuringTracer::traceSlots  js/src/gc/Tenuring.cpp:605
0  libxul.so  js::gc::TenuringTracer::traceObjectSlots const  js/src/gc/Tenuring.cpp:593
0  libxul.so  js::NativeObject::forEachSlotRangeUnchecked<js::gc::TenuringTracer::traceObjectSlots  js/src/vm/NativeObject.h:800

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2024-03-20
  • Process type: Content
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: Yes - 3 out of 20 crashes happened on null or near null memory address

By analyzing the backtrace, the regression may have been introduced by a patch [1] to fix Bug 1787526.

[1] https://hg.mozilla.org/mozilla-central/rev?node=81f2b46b7289

:jonco, since you are the author of the potential regressor, could you please take a look?

Flags: needinfo?(jcoppeard)

The bug is marked as tracked for firefox126 (nightly). However, the bug still isn't assigned.

:sdetar, could you please find an assignee for this tracked bug? Given that it is a regression and we know the cause, we could also simply back out the regressor. If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit BugBot documentation.

Flags: needinfo?(sdetar)

jonco, is this bug actionable?

Flags: needinfo?(sdetar)

This is a signature shift from js::gc::AllocSite::incTenuredCount caused by code changes in bug 1787526.

Status: NEW → RESOLVED
Closed: 2 months ago
Duplicate of bug: 1639157
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE